Topic: bos commands can be spoofed, including some which alter server state
       CVE-2015-3283

Issued:         29-July-2015
Last Update:    29-July-2015
Affected:       OpenAFS versions through 1.6.12

bos commands executed with authentication but not in crypted mode can
be used to spoof other operations.

SUMMARY
=======

bos defaults to no encryption and clear connections. The authentication data does not protect the payload. As such, a connection may be snooped and used to spoof unintended RPCs over the network.

IMPACT
======

A server not in restricted mode can be modified in ways not intended depending on the privilege level of the caller.


AFFECTED SOFTWARE
=================

The bos and bosserver executables in versions through 1.6.12 are affected.


FIXES
=====

The OpenAFS project recommends that administrators of fileservers upgrade
to OpenAFS version 1.6.13 or newer.

For those sites unable, or unwilling, to upgrade a patch which resolves this
issue is available directly from:

  http://www.openafs.org/security/openafs-sa-2015-002.patch

The latest stable OpenAFS release is always available from
http://www.openafs.org/release/latest.html

This announcement and code patches related to it may be found on the
OpenAFS security advisory page at:

  http://www.openafs.org/security/

The main OpenAFS web page is at:

  http://www.openafs.org/